Static Code Analysis

Improve code quality without code execution

Static code analysis, or static analysis, is a software verification activity that analyzes source code for quality, reliability, and security. You can identify defects and security vulnerabilities that can compromise the safety and security of your application. Formal methods–based deep semantic static code analysis also enables you to diagnose run-time errors such as overflows, divide by zero, and illegally dereferenced pointers. Static analysis can be a cost-effective approach to measure and track software quality metrics without the overhead of writing test cases or instrumenting your code. In contrast to other verification techniques, static code analysis is automated, which means you can do this analysis without executing the program or developing test cases.

Basic static code analysis techniques include:

Generating code quality metrics, such as counting the number of lines of code, determining comment density, and assessing code complexity

This approach is comprehensive and complete, because every failure point in the code is identified as proven to fail, proven not to fail, may never execute (dead code), or unproven. This is particularly important for safety because one escaped defect can compromise your system, leading to tragic consequences. Growing concerns about cybersecurity bring similar challenges because a single software vulnerability is enough to expose your application to exploitation.
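As an added illustration (not code from the original page or from any tool it describes), the sketch below assigns the four verdicts named above to a divide-by-zero check. It assumes interval analysis as the underlying formal technique; `Interval`, `refine`, `classify_division` and the analysed C-like fragments are hypothetical and constructed for this example.

```python
from dataclasses import dataclass

INT_MIN, INT_MAX = -2**31, 2**31 - 1   # assumed 32-bit signed int range


@dataclass(frozen=True)
class Interval:
    """Every value a variable may hold at one program point."""
    lo: int
    hi: int

    @property
    def empty(self) -> bool:
        return self.lo > self.hi

    def meet(self, other: "Interval") -> "Interval":
        return Interval(max(self.lo, other.lo), min(self.hi, other.hi))


def refine(var: Interval, op: str, k: int) -> Interval:
    """Narrow var on the true branch of the guard `var <op> k`."""
    guards = {
        ">": Interval(k + 1, INT_MAX),
        ">=": Interval(k, INT_MAX),
        "<": Interval(INT_MIN, k - 1),
        "<=": Interval(INT_MIN, k),
        "==": Interval(k, k),
    }
    return var.meet(guards[op])


def classify_division(divisor: Interval) -> str:
    """Verdict for `x / d`, given all values d can take at that point."""
    if divisor.empty:
        return "dead code"             # no execution can reach the division
    if divisor.lo == 0 == divisor.hi:
        return "proven to fail"        # d is always zero here
    if divisor.lo > 0 or divisor.hi < 0:
        return "proven not to fail"    # zero is excluded on every path
    return "unproven"                  # zero is possible but not certain


def analyze_samples() -> dict:
    d = Interval(INT_MIN, INT_MAX)     # constructed: d is unchecked input
    return {
        "x / d": classify_division(d),
        "if (d > 0) x / d": classify_division(refine(d, ">", 0)),
        "if (d == 0) x / d": classify_division(refine(d, "==", 0)),
        "if (d > 5) if (d < 3) x / d":
            classify_division(refine(refine(d, ">", 5), "<", 3)),
    }


if __name__ == "__main__":
    for fragment, verdict in analyze_samples().items():
        print(f"{fragment:32} -> {verdict}")
```

No fragment is executed: each verdict follows from the set of values the divisor can hold, which is why an unguarded input is reported as unproven rather than safe.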